IBNS 2.0 / auto macros replacement

Hi Gurus

I'm looking for the ultimate solution for replacing auto-macros with an IBNS 2.0 approach, with ISE acting as the dynamic authorization source. I was thinking about downloadable interface templates, but I lack good documentation. Can somebody help on the subject?

1 Accepted Solution

Jason Kunst
Cisco Employee
I would recommend asking the switch team, as this is not specific to ISE.

9 Replies

Arne Bier
VIP

There is a lot of stuff out there, but this document here is excellent: it's an end-to-end story for wired 802.1X and covers the IBNS 1.0 to 2.0 stuff really well. I did a deployment recently and it was pretty much exactly as in the guide.

Hi Arne,

I can't see which source you are referencing exactly...

From the stuff I've learnt recently, replacing Auto Smart Port is almost useless, as the switch fails to apply the authorization Accept sent by ISE if a locally configured interface template changes the host mode, because in most cases the requirement is not only to change the switchport from access to trunk etc. but also to change the 802.1X host mode.

Thanks @Jason Kunst - I forgot the paste command - had it all ready to go. That's the one. My customer deployed 9300 and 9400 switches, and it would be a shame not to use IBNS 2.0, especially on the 9400 because there are lots of ports on that chassis. The config looks tidier with 2.0. We also used the auth-fail stuff. I didn't get as far as using user role assignment. This is like persistence if ISE should fail: it will cache the role of a MAC and then apply it in the event ISE doesn't respond. It's like auth-fail VLAN/ACL on steroids.


Hi Arne,

Tons of thanks for the valuable input. BTW, do you know if Cat9Ks with Fuji 16.9.2 support multiple VLAN authorization on an access port? The docs I've read so far state that only limited platforms support it (as BRKSEC-2691 states, for example):

Per MAC VLAN Assignment
• Before Cat3850 / Cat3650: one port, one VLAN per access port (1:1)
  • Exception: Voice (one data device untagged, one voice device tagged with the VVLAN)
• Later: allowing VLAN assignment on multi-authentication ports, but the first device "rules" the port
• Now with Catalyst 2960X, 3850 & 3650: each session can have an individual VLAN assigned
  • 2960X 15.2(2)E
  • C3850 03.03.00SE
  • C3650 03.03.00SE

Please ask switching questions in the switching community on a new thread.

Right now I have a C9K deployment on 17.3.4 with 2 endpoints connected to a single switch port that got authorized in different VLANs. Effectively, traffic passes only for one of them (the one whose VLAN is shown as the operational access VLAN in `show interface X switchport`).
